I have a need to connect a branch office with multiple WAN's to multiple devices:

wan1 modem

Public IP: 2.2.2.2

Private IP: 192.168.20.1

VLAN tag: 20

wan2 modem

Public IP: 3.3.3.3

Private IP: 192.168.30.1

VLAN tag: 30

wan3 modem

Public IP: 4.4.4.4

Private IP: 192.168.40.1

VLAN tag: 40

device 1

Physical Interface eth1

Interface 1 IP: 192.168.20.100 w VLAN tag 20

Interface 2 IP: 192.168.30.100 w VLAN tag 30

Interface 3 IP: 192.168.40.100 w VLAN tag 40

device 2

Physical Interface eth1

Interface 1 IP: 192.168.20.101 w VLAN tag 20

Interface 2 IP: 192.168.30.101 w VLAN tag 30

Interface 3 IP: 192.168.40.101 w VLAN tag 40

Each WAN modem has only one LAN interface available.

I would like to connect each of the three modems to a single switch, tagging traffic as above, so that multiple devices may access the WAN's as needed.

I am totally new to VLANs so I am probably missing the point, but this configuration (in my testing) does not appear to require any configuration of the switch - the devices just all need to agree on VLAN tags.

Why would somebody require a managed or "smart" switch in this configuration? Why might I consider getting one?

2 Answers
2

The central reason for a smart/managed switch would be to actually implement the vLANs. If you use a "dumb" switch or hub you have no guarantees by that device that the traffic is actually restricted to the participating devices in each vLAN.

A quick and simple example. Say we have three devices on a switch (A, B, and C). A and B are in a vLAN; B and C are in another vLAN. If it's a "dumb" switch then broadcast traffic will be forwarded to all ports (A's broadcast traffic will reach C; and vice versa). If it's a "hub" instead of a switch, then all traffic would be sent to all devices.

The next important question is whether you care. If you fully trust A, B, and C to see and communicate with each other, then there's really no "harm" in this configuration. A and C would know they aren't supposed to be talking on each others vLAN and wouldn't. The problem comes when you can't fully trust one or the other, as in the case where one is an Internet connected CPE. At that point you would have to hope that no malicious packets are transmitted over the Internet, vLAN Hopping or whatever is necessary to compromise your network.

Using vLANs without a smart/managed switch has all the security of overloaded subnets (using two non-overlapping subnets on the same broadcast domain). As mentioned above, the lack of security isn't necessarily a problem, though you don't get the benefits of segmented broadcast domains either. One small potential problem is that other people working on this network may make certain assumptions about the security based on the presence of some vLAN configuration - wrong assumption or otherwise, it could lead to a security problem as well.

If your WAN modems are all talking with VLAN-tagged frames, then no, you don't require a managed switch (as long as your unmanaged device passed tagged frames through unchanged.)

However, many WAN CPEs (routers/modems/etc) are incapable of setting a tag, or are managed by an ISP who won't configure them that way. In that type of setup, each modem has an untagged connection to a managed swtich, which then applies the VLAN tag to the frame, passing it along to a router or other device over a tagged trunk port.